From 4a7d1a83580ba9a10df254d6df03a0bc3d8fa726 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 11 Sep 2015 09:24:54 +0000
Subject: Store a reference to the peer certificate (if any) upon completion of the handshake. Free the reference when we reset the TLS context. ok beck@
---
 src/lib/libtls/tls.c | 7 ++++++-
 src/lib/libtls/tls_internal.h | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 282f68edf6..aa49641ab2 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.24 2015/09/10 18:43:03 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.25 2015/09/11 09:24:54 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -308,9 +308,11 @@ tls_reset(struct tls *ctx)
 {
 	SSL_CTX_free(ctx->ssl_ctx);
 	SSL_free(ctx->ssl_conn);
+	X509_free(ctx->ssl_peer_cert);
 
 	ctx->ssl_conn = NULL;
 	ctx->ssl_ctx = NULL;
+	ctx->ssl_peer_cert = NULL;
 	ctx->socket = -1;
 	ctx->state = 0;
 
@@ -379,6 +381,9 @@ tls_handshake(struct tls *ctx)
 	else if ((ctx->flags & TLS_SERVER_CONN) != 0)
 		rv = tls_handshake_server(ctx);
 
+	if (rv == 0)
+		ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
+
 	/* Prevent callers from performing incorrect error handling */
 	errno = 0;
 	return (rv);
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index a5399d5594..b514847cfe 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.18 2015/09/10 10:14:20 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.19 2015/09/11 09:24:54 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -67,6 +67,7 @@ struct tls {
 
 	SSL *ssl_conn;
 	SSL_CTX *ssl_ctx;
+	X509 *ssl_peer_cert;
 };
 
 struct tls *tls_new(void);
-- 
cgit v1.2.3-55-g6feb
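Review bot: In the tls_handshake hunk, `ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);` overwrites whatever reference the context already holds without releasing it; SSL_get_peer_certificate() hands back a new counted reference that the caller owns, so if the rv == 0 path can be reached a second time on the same context before tls_reset() (the handshake entry checks that would prevent this are outside the hunk), the earlier X509 reference leaks. Dropping the old reference first keeps the invariant that the context owns exactly one: `X509_free(ctx->ssl_peer_cert);` on the line before the assignment, which is harmless when the field is still NULL. A NULL result is also a legitimate outcome here when the peer presented no certificate, so any accessor added later must tolerate the field being NULL after a successful handshake. tls_handshake's body begins before this hunk.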
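Review bot: The new `X509 *ssl_peer_cert;` member in struct tls carries no ownership comment, although it holds a counted reference taken via SSL_get_peer_certificate() in tls_handshake() and released with X509_free() in tls_reset(). A short note such as `X509 *ssl_peer_cert;	/* owned ref, NULL if none; freed by tls_reset() */` would tell later readers that the field must neither be freed elsewhere nor handed out without taking an additional reference. The struct tls definition begins before this hunk.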